Provably Secure Identity-Based Authenticated Key
Agreement Protocols Without Random Oracles
Shengbao Wang1, Zhenfu Cao1, and Kim-Kwang Raymond Choo2
1Department of Computer Science and Engineering, Shanghai Jiao Tong University Shanghai, China
{shengbao-wang,cao-zf}@cs.sjtu.edu.cn 2Independent Security Researcher
Canberra, Australia raymond.choo.au@gmail.com
Abstract. We present the first provably secure ID-based key agreement pro-tocol, inspired by the ID-based encryption scheme of Gentry, in the standard (non-random-oracle) model. We show how this key agreement can be used in ei-ther escrowed or escrowless mode. We also give a protocol which enables users of separate private key generators to agree on a shared secret key. All our proposed protocols have comparable performance to all known protocols that are proven secure in the random oracle model.
Keywords:identity-based cryptography, authenticated key agreement, bilinear pairings, standard model
1
Introduction
Key agreement protocols are fundamental for establishing communications between two parties over an insecure network. If in a protocol one party is assured that no other party other than the designated party (or parties) may gain access to the particular established secret key, then the protocol is said to provide implicit key authentication (IKA). An authenticated key agreement (AK) protocol provides mutual IKA between (or among) parties. In addition, a key agreement protocol is said to provide key confirmation (of B to A) if A is assured that B actually possesses the session key. An AK protocol that provides mutual key confirmation is called an authenticated key agreement with key confirmation protocol (or an AKC protocol). Although key agreement protocols can employ either private or public-key cryptography, we consider two-party key agreement protocols in the public-key setting in this paper.
The idea ofidentity(ID)-based cryptography was first introduced by Shamir in 1984 [25]. The basic idea behind an ID-based cryptosystem is that end users can choose an arbitrary string (e.g., email addresses or other online identifiers) as their public keys. This eliminates much of the computational overhead associated with key management [20]. In 2001, Boneh and Franklin [1] gave the first fully functional solution for ID-based encryption (IBE) – an variant of the ElGamal [15] encryption scheme – using the pairing on elliptic curves. Since then, numerous ID-based AK protocols have been proposed (e.g., [26,27,13,24,12]).
Motivations.
2. Most ID-based key agreement protocols have the inherent property of session key escrow (i.e., the private key generator (PKG) can recover all the session key agreed by its users). As noted in [20], this property may either be acceptable or unacceptable depending on individual situations. For example, key escrow is essential in situations where confidentiality and audit trail are legal requirements. There are, however, situations where key escrow is preferred to be “switched” off for privacy concerns [20].
3. Key agreement between different networks/domains may be desirable in some situ-ation. For example, for the encrypted VoIP to work on a global scale, there must be compatibility between different networks. Therefore, key agreement between sepa-rate networks/domains (i.e., with different PKGs) is crucial.
Contributions. Based on the IBE system due to Gentry [17], we propose a new signature-/encryption-less ID-based AK protocol. We then prove the protocol secure in the standard model. This is, to the best of our knowledge, the first ID-based pro-tocols to be proven secure in the standard model. Two other extensions to this basic protocol are also provided.
1. Efficient protocols that can be instantiated with or without session key escrow. 2. An efficient protocol that allows users registered with different private key generators
(PKGs) to establish a shared session key.
Our design strategy. Signature-/encryption-less key agreement protocols have nu-merous advantages, and namely from an efficiency point of view. They are suitable for some constrained environments [19]. A common strategy of constructing a signature-/encryption-less authenticated key agreement protocol using the ElGamal [15] public key encryption scheme was first suggested by Matsumoto, Takashima and Imai. In [22], the authors designed several authenticated Diffie-Hellman key agreement protocols (i.e., to provide the original Diffie-Hellman protocol with key authentication), which is well-known as the MTI key agreement family. In particular, the MTI/A0 protocol is derived from the ElGamal encryption in such a way that we name it as a mutual “Encryption and Decryption” mechanism (refer to Appendix A for details). Similar but more re-cent proposals include the protocol of Goss [18], KEA [23] authenticated key agreement designed by NSA in 1994 (declassified in 1998) and Protocol 4 from Blake-Wilson et al. [3]. The design of our new ID-based AK protocol follows the idea behind the MTI/A0 protocol.
Paper Organization. The rest of the paper is structured as follows. In Section 2, we present the necessary background materials. Section 3 reviews Gentry’s ID-based encryption scheme. We then present our new protocols in section 4. In Section 5, we prove the security of our basic protocol without using random oracles. Section 6 concludes the paper. Finally, a high-level description of the common design strategy is given in Appendix A.
2
Technical Backgrounds
2.1 Security Attributes
Security attributes for AK(C) protocols have been identified in several previous work [4,21,6,13]. We briefly explain the security attributes as follows (refer to [4,21] for more detailed discussions):
– Known-key secrecy. Suppose an established session key between two entities is disclosed, the adversary is unable to learn other established session keys.
– PKG forward secrecy (PKG-FS).If in an ID-based key agreement protocol, the master key known only to the PKG is disclosed, the adversary is unable to derive old session keys established by that two entities. Note this attribute implies that the PKG is not able to passively escrow any session key of its users.
– Key-compromise impersonation (K-CI) resilience. Assume that entities A andB are two principals. SupposeA0ssecret key is disclosed. Obviously, an
adver-sary who knows this secret key can impersonateAto other entities (e.g.B). However, it is desired that this disclosure does not allow the adversary to impersonate other entities (e.g.B) toA.
– Unknown key-share (UK-S) resilience.EntityAcannot be coerced into sharing a key with entity B without A’s knowledge, i.e., when A believes that the key is shared with some entityC 6=B, andB (correctly) believes the key is shared with A.
– No key control.Neither the two protocol principals (Aand B) can predetermine any portion of the shared session key being established between them.
The main desirableperformance attributes include low computational overheads, a minimal number of passes (the number of messages exchanged in a run of the protocol), and low communication overheads (total number of bits transmitted).
2.2 Security Model for ID-Based AK Protocols
We now review the formal security model for ID-based authenticated key agreement protocols due to Chen, Cheng and Smart [11]. Their model is an adapted version of the model of Blake-Wilson et al. [3] – an extension of the Bellare-Rogaway model [8] in the public key setting.
The model includes a setUof participants modeled by an oracle (e.g.,Πn
I,Jrepresents
a participant I carrying out a protocol session in the belief that it is communicating with another participant J for the n-th time). Each participant has a long-term ID-based long-term public/private key pair, in which the public key is generated using her identity information and the private one is computed and issued secretly by a private key generator.
There is an active adversary (denoted byE) in the model modeled by a probabilistic polynomial time Turing Machine and has access to all the participants’ oracles as well as the random oracles in the game. Participant oracles only respond to queries by the adversary and do not communicate directly among themselves and there exists at least a benign adversary who simply passes messages between participants faithfully.
Definition of security in the model depends on the notion of thepartner oracles to any oracle being tested. In [11], partners have been defined by having the same session identifier (SID) which consists of a concatenation of the messages exchanged between the two. We defineSID(Πn
I,J) as the concatenation of all messages that oracleΠI,Jn has
sent and received.
Definition 1 (Partnership).Two oraclesΠn
I,J andΠn
0
J,I are said to be partner oracles
if they have accepted with the same SID.
The security of a protocol is defined via a two-phase game between a challenger C
and the adversaryE. In the first phase, the adversaryEis allowed to issue the following queries in any order.
Send: E can send message M toΠn
I,J. The oracle executes the protocol and responds
Reveal: This query asks the oracle to reveal whatever session key it currently holds. An oracle is calledrevealed if it has responded to aRevealquery.
Corrupt: This query asks a participant to reveal the long term private key. A partici-pant is called corrupted if it has responded to aCorruptquery.
Test: At some point,E can make a Test query to somefresh oracle (see Definition 2 below).Ereceives either the session key or a random value from a particular oracle. Specifically, to answer the query the fresh oracle flips a fair coinb ∈ {0,1}; if the answer is 0 it outputs the agreed session key, and if the answer is 1 it outputs a random element ofG2.
In the second phase,Ecan continue makingSend,RevealandCorruptqueries to the oracles, except thatEis not allowed to reveal the targetTestoracle or its partner oracle (if any), andE cannot corrupt participantJ (assumingΠn
I,J is theTestoracle).
Output: Finally,E outputs a prediction (b0) on b.E wins the game ifb0 =b, and we
define E’s advantage (l is the security parameter) in winning the game as
AdvantageE(l) =|Pr[b0=b]−1/2|.
Definition 2 (Fresh Oracle). An oracle Πn
I,J is called fresh if it has accepted (and
therefore holds a session key ski), it is not revealed,J has not been corrupted, and there
is no revealed oracle Πn0
J,I which is a partner oracle ofΠI,Jn .
Remark 1. The above definition of fresh oracle is particularly defined to cover the se-curity attribute of key-compromise impersonation resilience since it implies that the participantI could have been issued aCorruptquery [11].
Definition 3 (Secure AK Protocol [3]).A protocol is a secure AK protocol if:
1. In the presence of the benign adversary(who simply relays messages between parties without modification) onΠn
I,J andΠn
0
J,I, both oracles always accept holding the same
session key, and this key is distributed uniformly on session key space; and if for every adversaryE:
2. If uncorrupted oraclesΠn
I,J andΠn
0
J,I are partners in the sense of Definition 1 then
both oracles accept and hold the same session key; 3. AdvantageE(l)is negligible.
In the following, we briefly discuss the attributes that the above definitions of a secure AK achieves. Recall the security attributes which were mentioned above, and here we examine them one by one.
– Known-key secrecy. The property of known-key secrecy is implied by the above definitions of AK security. SinceE is allowed to makeRevealqueries to any oracles except for the targetTestoracleΠn
I,J and its partner oracleΠn
0
J,Ito obtain any session
keys. Even with the knowledge of many other session keys,E0s ability to distinguish
between the session key held byΠn
I,J and a random number is still negligible. That
is to say, the knowledge of any other session keys does not help E to deduce any information about the tested session key.
– Perfect forward secrecy (PFS).The definition does not imply the property of perfect forward secrecy. This is because the model does not allow the adversary to make queries of corrupted oracles and therefore does not model this type of attack. – Key-compromise impersonation (K-CI) resilience.As mentioned above, the
defini-tion of fresh oracle imply the key compromise impersonadefini-tion property.
– Unknown key-share (UK-S) resilience.The definition also imply the unknown key-share resilience property. IfIDI establishes a session key withIDJthough he believes
skIK. At the same time, there is an oracle Πn
0
J,I that holds this session key skIK,
for somen0 (normallyn0=n). During an unknown key share attack, the userID
K
may not know this session key. Since Πn
I,K and Πn
0
J,I are not partner oracles, the
adversary can make a Revealquery toΠn0
J,I to learn this session key before asking
aTestquery toΠn
I,K. Thus the adversary will succeed for thisTestquery challenge
(i.e., the protocol is not secure) if the unknown key share attack is possible. By contradiction, a secure protocol in the model is resistant to the unknown key share attack.
– No key control. The above definition of AK security does not imply resilience to key control attacks that are launched by one of the protocol participants. However, key control attacks launched by an outside adversary are captured by the model. In the model, all participants are assumed to be honest participants. If the protocol is not attacked (i.e., can be proven secure in the model), then we can be assure that the session key established is distributed uniformly at random in the session key space. Otherwise, the adversaryE must have a non-negligible ability to distinguish between the session key held byΠn
I,J and a random number.
2.3 Bilinear Pairings
We briefly review the necessary facts about bilinear pairings [1]. Let G1 be a cyclic
multiplicative group generated by an element g, whose order is a prime p, and G2 be
a cyclic multiplicative group of the same prime order p. We assume that the discrete logarithm problem (DLP) in bothG1andG2 are hard.
Definition 4. An admissible pairing e is a bilinear map e : G1×G1 → G2, which
satisfies the following three properties:
1. Bilinear: If u, v∈G1 anda, b∈Z∗p, thene(ua, vb) =e(u, v)ab;
2. Non-degenerate:e(g, g)6= 1;
3. Computable: Ifu, v∈G1, one can computee(u, v)∈G2 in polynomial time.
2.4 Complexity Assumptions
The security of Gentry’s IBE system [17] is based on a complexity assumption that they callthe truncated augmented bilinear Diffie-Hellman exponent assumption(the truncated q-ABDHE). We recall the truncated decisionq-ABDHE problem as follows (refer to [17] for detailed description).
Truncated Decision q-ABDHE Problem.Given a vector ofq+ 3 elements
(g0, g0αq+2, g, gα, gα2, ..., gαq)∈Gq1+3
as input (hereα∈Zp), an algorithmBthat outputsb∈ {0,1}has advantage²in solving
the truncated decision q-ABDHE if
|Pr[B(g0, g0αq+2, g, gα, gα2, ..., gαq, e(gαq+1, g0)] = 0
−Pr[B(g0, g0αq+2
, g, gα, gα2
, ..., gαq
, Z) = 0]|≥²
where the probability is over the random choice of generators g, g0 ∈ G
1, the random
choice of α∈Zp, the random choice ofZ∈G2 , and the random bits consumed byB.
The security of our escrowless version of the key agreement protocol is based on the following variant of the truncated q-ABDHE problem, with two additional elements g and gα being given as input. We note that this modified problem is believed to be as
Modified Truncated q-ABDHE Problem.Given a vector ofq+ 5 elements
(g0, g0αq+2, g, gα, t, tα, tα2, ..., tαq)∈Gq1+5
as input, an algorithmBthat outputsb∈ {0,1}has advantage²in solving themodified truncated decisionq-ABDHE if
|Pr[B(g0, g0αq+2
, g, gα, t, tα, tα2
, ..., tαq
, e(tαq+1
, g0)] = 0 −Pr[B(g0, g0αq+2, g, gα, t, tα, tα2, ..., tαq, Z) = 0]|≥²
where the probability is over the random choice of generatorsg,g0, t∈G
1, the random
choice of α∈Zp, the random choice ofZ∈G2 , and the random bits consumed byB.
Definition 5 ((Modified) Truncated Decision (t, ², q)-ABDHE Assumption). We say that the truncated decision(t, ², q)-ABDHE assumption (resp. the modified trun-cated decision (t, ², q)-ABDHE assumption) holds in G1 if no t-time algorithm has
ad-vantage at least²in solving the truncated decisionq-ABDHE problem (resp. the modified truncated decision q-ABDHE problem) in G1.
3
Review of Gentry’s IBE Scheme
In this section, we review the first construction of Gentry from [17], which is a chosen-plaintext secure ElGamal-type IBE scheme (proven in the standard model).
LetG1andG2be groups of prime orderp, and lete:G1×G1→G2be the bilinear
pairing. The IBE system works as follows.
Setup: The PKG chooses two random generators g, h ∈ G1 and a random α ∈ Zp,
calculatesg1=gα∈G1. It sets the publicparams ashg, g1, hiand themaster-key asα.
Key Generation:To generate a private key for identityID∈Zp, the PKG generates
a random rID ∈ Zp, and outputs the private key asdID = hrID, hIDi, wherehID =
(hg−rID)1/(α−ID). (The PKG ensures that ID6=αand it always assigns identicalr
ID
for a given identityID.)
Encryption:The sender picks randomly as∈Zp, using the receiver’s identityID, sets
the ciphertext to be (to encrypt message m∈G2)
C= (gs
1g−s·ID, e(g, g)s, m·e(g, h)−s).
Decryption: To decrypt ciphertext C = (u, v, w), the decrypter of the identity ID computes
m=w·e(u, hID)·vrID.
Consistence: The recipient can correctly decryptC to getmsince
e(u, hID)·vrID
=e(gs(α−ID), h1/(α−ID)g−rID/(α−ID))·e(g, g)srID =e(g, h)s.
4
Proposed ID-Based Key Agreement Protocols
4.1 An ID-Based Key Agreement Protocol with Escrow
Our first protocol (named as Protocol I) does not provide PKG forward secrecy (or master-key forward secrecy), i.e., when the maser keyαof the PKG is compromised, an adversary who gets it can recover all the users’ past session keys. Equivalently, this means that the PKG canescrow all the session keys (refer to [13,20] for more details). Clearly, for any ID-based key agreement protocol, perfect forward secrecy (PFS) is implied by the PKG forward secrecy. Whereas, our second protocol (named as Protocol II) provides the PKG forward secrecy. Both of our protocols are two-pass protocol withmutual implicit key authentication (IKA). We note that it is readily to extend our protocols into 3-pass AKC protocols, using the common method given in [3,13].
As with all the other ID-based AK protocols we assume the existence of a PKG that is responsible for the creation and secure distribution of users’ private keys.
Protocol I consists of three stages, i.e.Setup,Key GenerationandKey Agreement. The Setup and Key Generation stages are identical to that of Gentry’s IBE scheme [17].
Suppose two principals Alice and Bob are about to agree on a session key (we de-note their identity Ident as A and B, respectively), we follow previous notations and hereafter, let gIdent=g1g−IDIdent andgT =e(g, g), whereIdent∈ {A, B}. We denote
the participant’s private key as hrID, hIDi. TheKey Agreementstage is as follows.
Key Agreement.To establish a shared session key, Alice and Bob each firstly generates an ephemeral private key (sayxandy∈Zp), and compute the corresponding ephemeral
public keys T11 = gxB, T12 = gxT and T21 = gAy, T22 =gyT. They then exchange T1 =
T11||T12 and T2 = T21||T22 as described in Figure 1 (where the symbol 00||00 denotes
concatenation).
Alice (A) Bob (B)
x∈RZp y∈RZp
T11=gBx,T12=gTx T21=gAy,T22=gyT T1=T11||T12
−−−−−−−−−−→
T2=T21||T22 ←−−−−−−−−−−
KAB= [e(T21, hA)·(T22)rA]·e(g, h)x KBA= [e(T11, hB)·(T12)rB]·e(g, h)y
skA=H2(A||B||T1||T2||KAB) skB =H2(A||B||T1||T2||KBA)
Fig. 1.Protocol I
1. Alice computes the shared secretKAB as follows:
KAB= [e(T21, hA)·(T22)rA]·e(g, h)x.
2. Bob computes the shared secretKBAas follows:
KBA= [e(T11, hB)·(T12)rB]·e(g, h)y.
KAB=e(T21, hA)·(T22)rA·e(g, h)x
=e(gyA,(g−rAh)1/(α−IDA))·(gy
T)rA·e(g, h)x
=e(gy(α−IDA),(g−rAh)1/(α−IDA))·(gy
T)rA·e(g, h)x
=e(gy, g−rAh)·(gy
T)rA·e(g, h)x
=e(gy, g−rAh)·e(g, g)yrA·e(g, h)x =e(gy, g−rAh)·e(gy, grA)·e(g, h)x =e(gy, g−rAhgrA)·e(g, h)x
=e(gy, h)·e(g, h)x
=e(g, h)x+y.
KBA=e(T11, hB)·(T12)rB·e(g, h)y
=e(gBx,(g−rBh)1/(α−IDB))·(gxT)rB·e(g, h)y
=e(gx(α−IDB),(g−rBh)1/(α−IDB))·(gx
T)rB·e(g, h)y
=e(gx, g−rBh)·(gx
T)rB·e(g, h)y
=e(gx, g−rBh)·e(g, g)xrB·e(g, h)y =e(gx, g−rBh)·e(gx, grB)·e(g, h)y =e(gx, g−rBhgrB)·e(g, h)y
=e(gx, h)·e(g, h)y
=e(g, h)x+y =KAB.
The final shared secret session key is then sk = H2(A||B||T1||T2||K), where H2 :
{0,1}∗→ {0,1}k is akey derivation function (in whichk=|sk|). Note here we include
the transcript (T1 and T2) in the key derivation function to resist the potential key
replicating attack (whereby an adversary is somehow able to manipulate the shared secret Kusing his own contributions while he still does not know the value ofK) [10].
Efficiency.Protocol I is role symmetric, which means that each party performing the same operations. Protocol I has comparable computational efficiency to those protocols from [13,20] (which are only proven secure in the random oracle model). In Protocol I, each participant has to generate a random number, perform one exponentiations inG1,
two exponentiations in G2, and compute two pairings (which are the most expensive
operations in the protocol and one of these pairings can be precomputed). We leave out multiplication in G1 and pairing multiplication in G2, and hashing as they are fast to
compute compared to the other principle operations.
Compared with the Chen-Kudla protocol [13] and the McCullagh-Barreto protocol [20], Protocol I is less efficient on the message bandwidth since two message blocks (as opposed to only one) need to be distributed by each user.
Escrow. The escrow property derives from the PKG’s ability to recover the shared session key, since with the knowledge of all the two users’ private keys, the PKG is also able to calculate e(g, h)x ande(g, h)y using the publicly transmitted data.
4.2 An ID-Based Key Agreement Protocol Without Escrow
the protocols in [13], Protocol II does not bring additional communication cost. We now introduce Protocol II, which has PKG forward secrecy (or, master-key forward secrecy).
Setup: Compared with the original Setup algorithm, the new public parameter has one more generator (denoted as t) of group G1. Now the PKG chooses three random
generatorsg, h, t∈G1and a randomα∈Zp, calculatesg1=gα∈G1. It sets the public
params as< g, g1, h, t >and themaster-key asα.
Key Generation:To generate a private key for identityID∈Zp, the PKG generates
a random rID ∈ Zp, and outputs the private key asdID = hrID, hIDi, wherehID =
(ht−rID)1/(α−ID). (Again, the PKG ensures thatID6=αand it always assigns identical rID for a given identityID.)
Suppose that Alice and Bob are about to agree on a session key (we denote their identityIdentasAandB, respectively), we letgIdent=g1g−IDIdent andtT =e(g, t)∈
G21. TheKey Agreementstage is as follows.
Key Agreement.To establish a shared session key, Alice and Bob each firstly generates an ephemeral private key (sayxandy∈Zp), and compute the corresponding ephemeral
public keys T11 = gxB, T12 = txT and T21 = gAy, T22 = tyT. They then exchange T1 =
T11||T12 andT2 =T21||T22 and compute the session key as described in Figure 2, with
extra operations (in contrast to Protocol I) underlined.
Alice (A) Bob (B)
x∈RZp y∈RZp
T11=gBx,T12=txT T21=gyA,T22=tyT T1=T11||T12
−−−−−−−−−−→
T2=T21||T22 ←−−−−−−−−−−
KAB1= [e(T21, hA)·(T22)
rA]·e(g, h)x KBA
1 = [e(T11, hB)·(T12)
rB]·e(g, h)y
KAB2 =T
x
22=txyT KBA2 =T
y
12=t
xy T
skA=H2(A||B||T1||T2||KAB1||KAB2) skB=H2(A||B||T1||T2||KBA1||KBA2)
Fig. 2.Protocol II
Protocol Correctness: Both Alice and Bob will compute the same session key since we have the following equations:
1Note that in Protocol I, the corresponding component isg
KAB1 =e(T21, hA)·(T22)
rA·e(g, h)x =e(gAy,(ht−rA)1/(α−IDA))·(ty
T)rA·e(g, h)x
=e(gy(α−IDA),(ht−rA)1/(α−IDA))·(ty
T)rA·e(g, h)x
=e(gy, ht−rA)·(gy
T)rA·e(g, h)x
=e(gy, ht−rA)·e(g, t)yrA·e(g, h)x =e(gy, ht−rA)·e(gy, trA)·e(g, h)x =e(gy, ht−rAtrA)·e(g, h)x
=e(gy, h)·e(g, h)x
=e(g, h)x+y =KBA1,
KAB2 =T
x
22=e(g, t)xy =KBA2.
Efficiency.Protocol II is also role symmetric. Obviously, compared with Protocol I, Protocol II only requires one more exponentiations inG2for each participant.
Protocol II has exactly the same communication efficiency as Protocol I.
Escrowless.Notice that withα, the PKG is able to calculategx(resp.gy) fromT
11=
gx(α−IDB)(resp.T21=gy(α−IDA)). Protocol II avoids session key escrow since the PKG is still not able to compute txyT =e(g, t)xy. We note that calculating the keying term
txyT fromtx
T andtyT involves solving the Computational Diffie-Hellman Problem (CDHP)
over the group G2.
4.3 Key Agreement Between Users of Separate PKGs
We now look at ID-based key agreement protocols between users of separate PKGs. The first such protocol was suggested by Chen and Kudla in [13], and [20] also gives an efficient construction. Based on our new protocol given above, we propose another ID-based key agreement protocol across separate PKGs. Again, we note that this protocol can be instantiated in escrowed or escrowless mode.
For key agreement to be feasible between users of distinct PKGs, it is required that the PKGs use the globally agreed domain parameters. Since elliptic curves, suit-able group generator points (i.e.,g andh) and other cryptographic tools such as hash functions, have been standardised for security applications, for example in the NIST FIPS standards, it is therefore reasonable to assume the availability of standard pairing-friendly curves as well [20]. Once these group generator points and curves have been agreed upon, each PKG can generate their own random master secret key (i.e. α).
Suppose that Alice is a user of the private key generator PKGA (with a a master
secret αA), and Bob is a user of the private key generator PKGB (with a master secret
αB). Therefore, Alice’s private key is generated by PKGA with αA and Bob’s private
key is generated by PKGB with αB. Assume that Alice (resp. Bob) has obtained an
authentic copy of the public key of PKGB (resp. PKGA). Alice and Bob now perform
the authenticated key agreement depicted in Figure 3.
On Escrow(less).Correctness of Protocol III can be easily checked. In this protocol, neither PKGAnor PKGB can escrow the established session keys. But if the two PKGs
work together (or collude) they still can passively escrow all their users’ session keys via K= [e(T21, hA)·(T22)rA]·[e(T11, hB)·(T12)rB], since the two users’ private keyshrA, hAi
andhrB, hBiare known to their PKGs.
Alice (A) Bob (B)
x∈RZp y∈RZp
T11= (gαBg−IDB)x,T12=gxT T21= (gαAg−IDA)y,T22=gTy T1=T11||T12
−−−−−−−−−−→
T2=T21||T22 ←−−−−−−−−−−
KAB= [e(T21, hA)·(T22)rA]·e(g, h)x KBA= [e(T11, hB)·(T12)rB]·e(g, h)y
skA=H2(A||B||T1||T2||KAB) skB =H2(A||B||T1||T2||KBA)
Fig. 3.Protocol III
Efficiency. Protocol III has identical computational and communication efficiencies with Protocol I.
5
Security Proof
Since the above three protocols have similar structures, it is sufficient to consider only the security of the basic protocol, Protocol I. We postpone the proofs of the security of Protocol II and Protocol III to the full version of this paper. Here we suggest that Proto-col II can be proven secure using themodified truncated decisionq-ABDHE assumption (see Section 2.4).
With the description of the security model in Section 2.2, we now state:
Theorem 1. If the truncated decisionq-ABDHE assumption holds for the pair of groups G1 andG2, then Protocol I is a secure AK protocol.
Proof. Our proof is closely based on the security proof of Gentry’s first IBE scheme [17]. Condition 1 follows from the assumption that the two oracles follow the protocol and E is benign. In this case, both oracles accept (since they both receive correctly formatted messages from the other oracle) holding the same keysk (sinceKAB =KBA
by the bilinearity of the pairing and the partnership).
Condition 2 follows from the fact that if the two oracles are uncorrupted, then they cannot be impersonated, and if they are partners then each has received properly for-matted messages from the other. So they will both accept holding the same session key sk. In the following, we show that the Condition 3 is also satisfied.
For a contradiction, assume that there is an adversary E against Protocol I that has a non-negligible advantage ² in guessing correctly whether the response to a Test query is real or random (i.e., winning the attacking game defined in Section 2.2). Out of this adversary, we show how to construct a simulator S that solves the truncated decision q-ABDHE problem with non-negligible advantage ²0. Given input of the two
groupsG1,G2, the bilinear mape, and a random truncated decisionq-ABDHE challenge
(g0, g0αq+2
, g, gα, gα2
, ..., gαq
, Z),S0stask is to distinguish whetherZ is e(gαq+1
, g0) or a
random element ofG2.
We assume that the game between S and E involves at most q−1 parties. We shall slightly abuse the notation Πn
A,B to refer to the n-th one among all the oracles
in the game, instead of the n-th instance of participant A. As n is only used to help identify oracles, this notation change will not affect the soundness of the model. LetNs
be an upper bound on the number of oracles invoked byEin the game and assume that S guesses that the oracle Πs
I,J (s ∈ {1, ..., Ns}) is to be asked the Test query by the
Setup:This stage is identical to that of [17].S generates a random polynomialf(x)∈
Zp[x] of degree q. It sets h =gf(α), computing h from (g, gα, gα
2
, ..., gαq
). It sets the public key as (g, g1=gα, h) and sends it toE. Clearly, this public key has a distribution
identical to that in the actual construction. Note that the master key is α, which is unknown to S.
Corrupt queries:S simulates theCorruptquery on inputIDias follows. IfgIDi =g1,
then we haveIDi=α,Scan usesαto solve the truncated decisionq-ABDHE problem
immediately. Else, letFID(x) denote the (q−1)-degree polynomial (f(x)−f(ID))/(x−
ID).S sets the private keyhrIDi, hIDiito be (f(IDi), g
FIDi(α)). This is a valid private
key forIDi, sincegFIDi(α)=g(f(α)−f(IDi))/(α−IDi)= (hg−f(IDi))1/(α−IDi), as required.
In order to keep the secrecy of the polynomialf(x), we require that the total number of theCorruptquery is less than q(the degree off(x)). Sincef(x) is a uniformly random polynomial, this private key appears to E to be correctly distributed.
Send queries:Letf2(x) =xq+2 andF2,IDJ(x) = (f2(x)−f2(IDJ))/(x−IDJ), which is a polynomial of degree q+ 1.
S answers all Send queries as specified for a normal oracle, i.e., for the only Send query to an oracle,S takes a random value inZp to form its contribution.
WhenE asks a Send query to the oracleΠs
I,J, S computes protocol messages TI1
andTI2 forΠI,Js as follows:
TI1=g0f2(α)−f2(IDJ),
TI2=Z·e(g0,
q
Y
l=0
(gαl
)F2,IDJ ,l),
whereF2,IDJ,l is the coefficient ofx
l inF
2,IDJ(x). We write the protocol messages that the oracle Πs
I,J obtained as TJ1 and TJ2. S
computes the session secretKIJ forΠI,Js as follows:
KIJ = [e(TI1, hJ)·TIr2J]·[e(TJ1, hI)·TJrI2].
S computes the final session keyskI ofΠI,Js as
skI =H2(I||J||TI1||TI2||TJ1||TJ2||KIJ).
Letλ= (loggg0)F2,IDj(α). IfZ=e(g
αq+1
, g0), thenT
I1=gλ(α−IDJ),TI2=e(g, g)λ.
As a result,e(TI1, hJ)·T2rJ =e(g, h)λandKJI =e(g, h)λ·[e(TJ1, hI)·TJrI2] is a valid and
appropriately-distributed session secret for the oracle Πs
I,J. Therefore, the output skI
is a valid session key for oracle Πs
J,I under randomness of λ. Since loggg0 is uniformly
random,λis uniformly random, and soskI is a valid, appropriately-distributed challenge
forE.
Reveal queries: If the query is directed at the oracle Πs
I,J or its partner oracle (if it
exists),S aborts with failure (Event 1). Otherwise, it gives the session key hold by the oracle to E.
Test query:At some point in the simulation, E will ask a Testquery of some oracle. IfE does not choose the guessed oraclesΠs
I,J to ask theTestquery, thenS aborts with
failure (Event 2). However if E does pickΠs
I,J for the Testquery, S providesE with
skI as the response.
Guess: After theTestquery, the algorithmE outputs its guessb0∈ {0,1}.
We claim that ifSdoes not abort during the simulation thenE0s view is identical to
abort. If the adversary indeed has chosen the s-th oracle (i.e. Πs
I,J) as the test oracle,
then by the rules of the game Event 1and2would not happen. We have
Pr[S does not abort]≥ 1
Ns
.
Solving the truncated decisionq-ABDHE problem:S simply forward the output b0 ofE to its challenger of the truncated decisionq-ABDHE problem.
Probability Analysis: IfZ =e(gαq+1
, g0), then the simulation is perfect, and E will
win the game with probability ²+ 1/2. Else,Z is uniformly random, and thusTI1 and
TI2 are uniformly random and independent element of G1 and G2, respectively. Since
by the rules of the game thatJ is uncorrupted, we know thatKIJ and the response to
theTestquery (i.e.skI) are also uniformly random and independent fromE’s view. In
this case,E has no advantage in winning the game, i.e.,E will guess correctly whether skI is real or random with probability 1/2.
We are now ready to calculate theS’s advantage²0in solving the truncated decision
q-ABDHE problem:
|Pr[B(g0, g0αq+2, g, gα, gα2, ..., gαq, e(gαq+1, g0)] = 0
−Pr[B(g0, g0αq+2
, g, gα, gα2
, ..., gαq
, Z) = 0]|≥1/2 +²−1/2 =².
As mentioned above, the probability that S does not abort is as least 1/Ns.
Com-bining these two results, we have
²0 =²/N
s.
The analysis of time-complexity is identical to that of the proof in [17]. In the simula-tion,S’s operation is dominated by computinggFID(α)in response toE’sCorruptquery onID, whereFID(x) is a polynomial of degreeq−1. Each such computation requires
O(q) exponentiations inG1. The time-complexity ofS is thereforet+O(texp·q2). ut
6
Conclusion
We presented a new identity-based authenticated key agreement protocol inspired by Gentry’s IBE system. We showed that the new protocol can be instantiated in either escrowed or escrowless mode, and also give a protocol which is suitable for circumstances where there are separate private key generators. Finally, we proved that the security of the proposed protocol (in its basic form) is relative to the decision truncated Augmented Bilinear Diffie-Hellman Exponent (the decision truncated q-ABDHE) problem without using random oracles.
Acknowledgments
References
1. D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. In Proc. of CRYPTO 2001, LNCS vol. 2139, pp. 213-229. Springer-Verlag, 2001.
2. C. Boyd and R. Choo. Security of two-party identity-based key agreement. In Proc. of Mycrypt 2005, LNCS vol. 3715, pp.229-243. Springer-Verlag, 2005.
3. S. Blake-Wilson, D. Johnson, and A. Menezes. Key agreement protocols and their security analysis. InProc. of 6th IMA International Conference on Cryptography and Coding, LNCS vol. 1355, pp. 30-45. Springer-Verlag, 1997.
4. S. Blake-Wilson and A. Menezes. Authenticated Diffie-Hellman key agreement protocols. In Proc. of SAC 1998, LNCS vol. 1556, pp. 339-361. Springer-Verlag, 1999.
5. C. Boyd, W. Mao, and K. Paterson. Key agreement using statically keyed authenticators. InProc. of ACNS 2004, LNCS vol. 3089, pp. 248-262. Springer-Verlag,, 2004
6. C. Boyd and A. Mathuria. Protocols for Authentication and Key Establishment. Springer-Verlag, June 2003.
7. M. Bellare and P. Rogaway, Random oracles are practical: a paradigm for designing effiient protocols, InProc. of First ACM Conference on Computer and Communications Security, pp.62-73, ACM press, 1993.
8. M. Bellare and P. Rogaway. Entity authentication and key distribution. InProc. of CRYPTO 1993, LNCS vol. 773, pp. 110-125. Springer-Verlag, 1994.
9. M. Burmester. On the risk of opening distributed keys. InProc. of CRYPTO 1994, LNCS vol. 839, pp. 308-317. Springer-Verlag, 1994.
10. K.-K. R. Choo, C. Boyd, and Y. Hitchcock. On session key construction in provably secure protocols. InProc. of MYCRYPT 2005, LNCS vol. 3715, pp. 116-131. Springer-Verlag, 2005. 11. L. Chen, Z. Cheng, and N. P. Smart. Identity-based key agreement protocols from pairings.
Cryptology ePrint Archive, Report 2006/199.
12. Y. J. Choie, E. Jeong and E. Lee. Efficient identity-based authenticated key agreement protocol from pairings.Journal of Applied Mathematics and Computation, 162(1), pp. 179-188, 2005.
13. L. Chen and C. Kudla. Identity based key agreement protocols from pairings. In Proc. of the 16thIEEE Computer Security Foundations Workshop, pp. 219-213. IEEE Computer Society, 2002.
14. W. Diffie, M.E. Hellman. New directions in cryptography.IEEE Trans. Inf. Theory, 22(6), pp.644 - 654, 1976.
15. T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Trans. Info. Theory, 31(4), pp. 469-472, 1985.
16. C. Gentry. Certificate-based encryption and the certificate-revocations problem. InProc. of EUROCRYPT 2003, LNCS vol. 2656, pp. 272- 291. Springer-Verlag, 2003.
17. C. Gentry. Practical identity-based encryption without random oracles. InProc. of EURO-CRYPT 2006, LNCS vol. 4004, pp. 445-464. Springer-Verlag, 2006.
18. K. C. Goss. Cryptographic method and apparatus for public key exchange with authenti-cation. US Patent 4,956,863, September 1990.
19. S. Kunz-Jacques and David Pointcheval. About the Security of MTI/C0 and MQV. In Proc. of SCN 2006. LNCS vol. 4116, pp. 156-172. Springer-Verlag, 2006.
20. N. McCullagh and P.S.L.M. Barreto. A new two-party identity-based authenticated key agreement. InProc. of CT-RSA 2005, LNCS vol. 3376, pp. 262-274. Springer-Verlag, 2005. 21. A. Menezes, P. van Oorschot and S. Vanstone. Handbook of Applied Cryptography, pp.
237-238. CRC Press, 1997.
22. T. Matsumoto, Y. Takashima and H. Imai. On seeking smart public-key distribution sys-tems.Trans. IECE of Japan, E69, pp.99-106, 1986.
23. NIST, SKIPJACK and KEA Algorithm Specification, http://csrc.nist.gov/encryption /skipjack/skipjack.pdf, 1998.
24. E.K. Ryu, E.J. Yoon, and K.Y. Yoo. An efficient ID-based authenticated key agreement protocol from pairings. InProc. of NETWORKING 2004, LNCS vol. 3042, pp. 1458-1463. Springer-Verlag, 2004.
25. A. Shamir. Identity-based cryptosystems and signature schemes. In Proc. of CRYPTO 1984, LNCS vol. 196, pp. 47-53. Springer-Verlag, 1984.
27. K. Shim. Efficient ID-based authenticated key agreement protocol based on Weil pairing. Electron. Lett., 39(8), pp. 653-654, 2003.
28. Y. Wang. Efficient identity-based and authenticated key agreement protocol. Cryptology ePrint Archive, Report 2005/108.
29. G. Xie. An ID-based key agreement scheme from pairing. Cryptology ePrint Archive, Re-port 2005/093.
A
A Design Strategy for ID-Based AK Protocols
Here we describe in detail the design strategy we used in this paper, i.e. a generic method for deriving ID-based authenticated key agreement protocols from any ElGamal-type ID-based encryption system.
To illustrate the ideas behind the strategy, we first recall the so-calledElGamal one-pass unilateral key agreement protocol that was first given in Chap. 12 of [21]. We quote it as follows.
ElGamal key agreement is a Diffie-Hellman variant providing a one-pass protocol with unilateral key authentication (of the intended recipient to the originator), provided the public key of the recipient is known to the originator a priori. While related to ElGamal encryption, the protocol is more simply Diffie-Hellman key agreement wherein the public exponential of the recipient is fixed and has verifiable authenticity (e.g., is embedded in a certificate).
Informally, the protocol proceeds as follows. The senderAforms asharedsecret using her random input rA in combination with B’s long-term public key YB by computing
K=YrA
B . On receipt of the ephemeral public keyTA=rAP, the receiverB is able to
reconstruct the session key K=TxB
A , wherexB is the corresponding private key toYB.
The two-pass MTI/A0 protocol can be seen as a parallel execution of ElGamal one-pass key agreement protocol. It yields session keys with mutual (implicit) key authen-tication against passive attacks. As in ElGamal one-pass key agreement, Asends toB a single message, resulting in the shared keyK.B independently initiates an analogous protocol withA, resulting in the shared keyK0.AandB then output theKK0 as their
agreed session key.
Note that although the original MTI/A0 protocol is of certain security weaknesses, e.g., it doesn’t provide perfect forward secrecy and is vulnerable to some active attacks such as unknown key-share attacks [6], triangle attacks [9], the elegant idea behind it is very useful in Diffie-Hellman authenticated key agreement protocol design.
The above idea can be applied to the design of ID-based AK protocols. In fact, Smart’s protocol [26] is the first such example.
So far, we are ready to define a general framework, named asthe generic MTI/A0 protocol (GMP), for the design of ID-based AK protocols based on an ElGamal-type IBE scheme.
Definition 6 (Generic MTI/A0 Protocol (GMP)).Suppose we have an ElGamal-type IBE scheme and two users (Alice and Bob) want to agree on a shared session key. They does the following:
1. Alice (Bob) firstly generates her (his) ephemeral private key, then computes her (his) ephemeral public keyP Keph using the public parameters of the system, finally she
(he) sendsP Kephto Bob (Alice).
2. Alice (Bob) uses the ephemeral private key generated in Step 1 to compute the ElGamal encryption session key KEn.
4. Alice (Bob) computes her (his) final session keyskas
sk=KEn∗KDe,
where the symbol “∗” stands for a commutative operation, e.g., multiplication, ad-dition, or bitwise XOR.
